Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet

Contents  Address Resolution Protocol  Real World Example  ARP Working  ARP through Router  Gratuitous ARP  ARP Flooding  ARP Spoofing  Reverse Address Resolution Protocol  RARP Limitations  Network Technologies  Packet Formats  Conclusion

Address Resolution Protocol  ARP is the protocol used for mapping network layer address to its data link layer address.  Primarily used for translating IP address to Ethernet MAC address.  If a packets destination is on the same local network as the senders, then the sender needs to resolve the destinations IP address into a physical hardware address, otherwise the sender needs to resolve the routers IP address into a physical hardware address.

Real World Example: Sending Parcel  Andy wants to send a parcel to Evan  Andy doesn’t know the room number of Evan  How will he send it?

Real World Example: Sending Parcel  Step1: Andy sends a request to all rooms (broadcast request), to find room of Evan  Request message includes Sender: Andy Sender Room: 1 Destination: Evan Destination Room: ?

Real World Example: Sending Parcel  Step 2: Only Evan accepts the request  Evan has the info of Andy from the request parcel  Evan stores the room information of Andy for future purposes  Other people discard the request

Real World Example: Sending Parcel  Step 3:Evan sends a reply to Andy only  Reply includes Sender : Evan Sender Room: 3 Destination: Andy Destination: 1

Real World Example: Sending Parcel  Step 4: Andy notes down the room number of Evan for future purposes  Step 5: Andy sends the actual parcel to Evan, using his room information given in the reply

ARP Working  When ARP needs to resolve a given IP address to Ethernet address, it broadcasts an ARP request packet.  The ARP request packet contains the source MAC address and the source IP address and the destination IP address.  The host with the specified destination IP address, sends an ARP reply packet to the originating host with its IP address

ARP Request  Suppose device A wants to send a packet to device C  A first checks the cache for MAC address of C  If cache has no entry then A broadcasts an ARP request

ARP Reply  C identifies request for itself so only C replies, other discard the request  C knows MAC address of A, so it sends ARP Reply only to A  Reply has the MAC address of C  C also updates its cache with MAC address of A, for future transmission

Final Data Transmission  After A gets ARP reply from C, it updates its cache with C’s MAC address  Then sends the data packet from A to C

Caching  Mapping between IP address and MAC address are cached in a memory table, for future transmission.  A new entry is added to the ARP cache when an IP address is successfully mapped to a MAC address. Usually, entries are added dynamically to the ARP cache. Static entries can also be added.  New address are overwritten on old addresses.  An entry in an ARP cache is removed after a pre- determined timeout period  A host will update its ARP cache, only if the ARP request is for its IP address. Otherwise, it will discard the ARP request  If host updates cache with any ARP requests, it will exhaust the ARP cache with a lot of unused ARP entries.

ARP through Router  Suppose A wants to send packet to C, which is on other network, connected through a router  A will detect C being out of network, so it will send data to the gateway  If A does not know MAC address of gateway, it will send ARP to router for getting its address.

ARP through Router … contd…  Router will send a ARP reply to A  Router will update its cache with A’s address  ARP reply will only got to A, because Router has A’s MAC address

ARP through Router … contd…  After ARP reply from router A will have MAC address of router  A will send data of C to Router

ARP through Router … contd…  Router will forward the data from A to C  Incase, router does not know the MAC address of C, it will broadcast an ARP request  C will send ARP reply and let know the router with its address  Then router will send the data to C

Gratuitous ARP  An ARP request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address  Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.  Gratuitous ARP request or gratuitous ARP reply is not normally needed according to the ARP specification (RFC 826) but could be used in some cases.

Gratuitous ARP uses  Detect IP conflicts: When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.  Clustering: Assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.

Gratuitous ARP uses…contd  Inform switch: They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.  Link up event: Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.

ARP Flooding  Several viruses send a lot of ARP traffic in an attempt to discover hosts to infect  A lot of ARP traffic from a single machine, looking for MAC addresses for many of the IP addresses on your local network, there might be a virus on your network that's scanning your network for machines to infect. It's been claimed that the Wootbot virus does this.

ARP Spoofing  Attacker will know about all data transferring on network  An attacker in a network may reply to all ARP requests with its own MAC address  Attacker will maintain its table with actual addresses  Every host will send data to the attacker  Attacker will maintain two way transmission between devices, by forwarding and replying all data through itself

Reverse Address Resolution Protocol  Reverse Address Resolution Protocol (RARP) is a network layer protocol used to obtain an IP address for a given hardware address (such as an Ethernet address)  Network hosts such as diskless workstations frequently do not know their protocol addresses when booted; they often know only their hardware interface addresses. It has to discover protocol address from external source  It has been rendered obsolete by Bootstrap Protocol and the more modern Dynamic Host configuration Protocol, which both support a much greater feature set than RARP.

RARP server  All the mappings between the hardware MAC addresses and the IP addresses of the hosts are stored in a configuration file in a host in the network, called RARP server  This server responds to all the RARP requests  When RARP server receives RARP request packet, it looks up this MAC address in the configuration file and determines the corresponding IP address. It then sends this IP address in the RARP reply packet

Limitations of RARP  The primary limitations of RARP are that each MAC address must be manually configured on a central server, and that the protocol only conveys an IP address  Another limitation of RARP compared to BOOTP or DHCP is that it is a non-IP protocol. This means that like ARP it cannot be handled by the TCP/IP stack on the client, but is instead implemented separately  RARP also differs from Inverse Address Resolution Protocol (InARP), which is designed to locate the IP address associated with another station's MAC address.

Network Technologies  ARP networks Can be used in any type of broadcast network. Used in LAN technologies like Ethernet, Token Ring, FDDI, IEEE ATM has no broadcast method, but we can use ARP on it  RARP Networks RARP is available for Ethernet, Fiber Distributed-Data Interface, and Token Ring LANs.

ARP and RARP Packet  RARP and ARP has same structure of packet  Hardware Type 1=Ethernet 4=Token Ring etc  Type of operation. 1=ARP request, 2=ARP reply, 3=RARP request, 4=RARP reply  Hardware address (6 bytes)  IP address (4 bytes)

Conclusion  ARP and RARP are used to map MAC to IP and IP to MAC addresses respectively  ARP and RARP has same packet format  RARP is almost obsolete  ARP is mainly used on networks with broadcasting  RARP needs a database on network to maintain list of addresses

References  Wikipedia  rk/rarp.html  rk/arp.html  uide/netarp.html   tm 

Thankyou